Legal · DPA

Data Processing Agreement

Last updated · 14 May 2026 · UK GDPR Article 28

Why this exists, in plain English
  • When you put your employees' or clients' data into our Service, UK GDPR calls you a "Controller" and us a "Processor". Article 28 says we need a written contract about it. This is that contract.
  • It sits alongside our Terms — automatic, no separate signature needed. Enterprise customers can request a counter-signed version.
  • It commits us to: process only on your instructions, keep your data secure, tell you fast (within 72 hours) if anything goes wrong, only use trusted subprocessors, and return / delete your data when you leave.
  • It commits you to: have a lawful basis to put the data in there in the first place, give your people their own logins, keep the data accurate.
  • It covers what happens if you want to audit us — we share independent audit reports rather than enable individual on-site audits at scale.

1. Parties & scope

This Data Processing Agreement ("DPA") forms part of the contract ("Terms") between Site Lynx Group Ltd("Processor", "us") and the customer ("Controller", "you") using the Service. It governs the processing of personal data we carry out on your behalf as your processor.

Where you upload personal data of people who are not parties to the Terms (typically your employees, contractors, or business contacts), you are the Controller and we are the Processor. This DPA sets out how we handle that data on your behalf.

This DPA applies automatically when the Terms apply. No separate signature is required, though enterprise customers can request a counter-signed version.

2. Definitions

Terms in capitals not defined here have the meaning given in the Terms or in UK GDPR.

UK GDPR
The UK's retained version of Regulation (EU) 2016/679 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Data Protection Laws
UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK data-protection law.
Personal Data
Has the meaning given in UK GDPR. In this DPA, it refers specifically to personal data processed by us on your behalf in connection with the Service.
Processing
Has the meaning given in UK GDPR — basically any operation performed on Personal Data.
Sub-processor
A third party we engage to process Personal Data on your behalf (cloud host, payment processor, email delivery, etc.).
Data Subject
A living person to whom Personal Data relates (typically your employees, clients, or contacts).

3. Nature, purpose & duration of processing

Subject matter
Provision of the Service to you under the Terms.
Nature of processing
Storage, retrieval, transmission, display, and use of Personal Data to deliver the Service features you have subscribed to (HR records, time tracking, document creation, invoicing, estimating, communications).
Purpose
Enabling you to use the Service to manage your business operations.
Duration
For as long as the Terms remain in force, plus retention periods set out in our Privacy Policy or required by law.
Types of Personal Data
Identification (name, work email, phone), employment data (role, start date, NI number where you provide it), payroll data (pay rate, tax code), location data (where you use GPS clock-in features), document content (anything you put in RAMS, invoices, etc.), and any other data you choose to put into the Service.
Categories of Data Subjects
Your employees, contractors, clients, suppliers, business contacts, and any other individuals whose data you put into the Service.

4. Your obligations as Controller

  • You confirm you have a lawful basis under UK GDPR to put any Personal Data into the Service.
  • You confirm you have given any required notices to Data Subjects about how their data will be processed.
  • You will not put special-category Personal Data (health, biometric, etc.) into the Service unless you have a lawful basis specific to that category and have performed any required Data Protection Impact Assessment.
  • You will not put data relating to criminal convictions into the Service unless you have a lawful basis under Schedule 1 of the DPA 2018.
  • You will give your Users individual logins rather than sharing accounts. Where individual accountability matters (audit logs of who did what), this is your obligation.
  • You are responsible for the accuracy of the Personal Data you put into the Service and for keeping it up to date.

5. Our obligations as Processor

In line with Article 28(3) of UK GDPR, we commit to the following.

(a) Processing only on your instructions

We will process Personal Data only on your documented instructions, including with regard to international transfers. Your use of the Service constitutes your instructions; if you need us to process in a way the Service doesn't natively support, contact us first.

If we're legally compelled to process Personal Data outside your instructions (e.g. court order), we'll tell you first unless the law forbids it.

(b) Confidentiality of personnel

Anyone we let access Personal Data is under a binding duty of confidentiality, either contractually or statutorily. Access is restricted to those who need it for the Service.

(c) Security measures (Article 32)

We have technical and organisational measures appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Logical access controls — role-based, with audit logging
  • Multi-factor authentication available on all accounts; required for staff access to production
  • Network segmentation, vulnerability scanning, dependency monitoring
  • Daily backups with 30-day point-in-time recovery, geographically separated
  • Incident-response runbook with on-call rotation
  • Annual independent penetration testing once we cross 100 paying customers
  • Background checks on staff with access to production data

(d) Sub-processors

You give us general written authorisation to engage Sub-processors to help deliver the Service. Current categories include cloud hosting and database, payment processing, transactional email, error monitoring, AI processing, and customer support tooling.

A current Sub-processor list with names is available on request to info@site-lynx.co.uk. We will give you at least 30 days' notice of any new Sub-processor that processes service-critical Personal Data, by email and an in-app banner.

If you reasonably object to a new Sub-processor on data-protection grounds within that notice period, we will work with you in good faith to resolve. If we can't, you may terminate your subscription without penalty and we'll refund prepaid fees for the unused period.

All Sub-processors are bound by written contracts imposing data-protection obligations no less protective than those in this DPA.

(e) Assistance with Data Subject rights

We'll provide reasonable assistance, considering the nature of the processing, to enable you to respond to requests from Data Subjects exercising their rights under Chapter III of UK GDPR (access, rectification, erasure, restriction, portability, objection, automated decisions).

Most rights are exercisable directly through the Service — Users with appropriate permissions can search, export, edit, and delete records. For anything not directly self-serve, email info@site-lynx.co.uk.

(f) Personal data breaches

We will notify you without undue delay — and in any case within 72 hours — of becoming aware of any Personal Data Breach affecting Personal Data we process on your behalf. The notification will include, to the extent we can:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects + records affected
  • Likely consequences
  • Measures taken or proposed to address it
  • Contact details for further information

We'll assist you in meeting your own Article 33/34 obligations (notifying the ICO and affected Data Subjects). The decision to notify Data Subjects in any case sits with you as Controller.

(g) Assistance with DPIAs & prior consultation

We'll provide reasonable assistance with any Data Protection Impact Assessment you carry out, and with any prior consultation with the ICO under Article 36 — taking into account what information is in our knowledge.

(h) End-of-services data handling

On termination or expiry of the Terms, you choose whether we return all Personal Data or delete it. We default to: 30 days to export, 90 days in cold storage, then deletion within 7 days of the storage period ending.

You can also delete Personal Data during the term — either individual records via the Service or your whole account.

We may retain Personal Data after the term where we have a legal obligation to do so (e.g. financial records under HMRC rules). Any retained data remains subject to this DPA and our Privacy Policy.

(i) Making information available + audits

We'll make available to you the information you reasonably need to demonstrate compliance with our obligations under Article 28.

You may audit our compliance with this DPA. We'll respond to reasonable audit requests in good faith. We may satisfy audit requests by providing recent independent audit reports (e.g. SOC 2, ISO 27001) where they cover the relevant scope, rather than enabling on-site customer audits, because direct customer audits at scale would themselves create a security risk. Enterprise customers may negotiate on-site audit rights in a counter-signed version of this DPA.

Audits are at your cost and must respect reasonable confidentiality and operational constraints. We'll give you the results of our own annual penetration testing on request, subject to a confidentiality undertaking.

6. International transfers

Our primary processing region is the United Kingdom. Where Personal Data is transferred outside the UK, we rely on one of:

  • UK adequacy regulations
  • The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, between us and the transferee
  • Article 49 derogations (limited cases, with notice)

By accepting this DPA, you authorise the transfers necessary to deliver the Service, subject to those safeguards.

7. Liability

Each party's liability for breaches of this DPA is subject to the limitation of liability in section 12 of the Terms. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under UK law (e.g. for fraud, or for fines under UK GDPR where personally liable).

8. Order of precedence

If anything in this DPA conflicts with anything in the Terms, this DPA prevails for matters of personal data processing. For everything else, the Terms prevail.

9. Term & termination

This DPA takes effect on the Effective Date of the Terms and continues for as long as the Terms remain in force, plus any retention period required by law.

On termination of the Terms, the end-of-services data-handling obligations in section 5(h) apply.

10. General

This DPA is governed by the law of England and Wales. Disputes about it are subject to the same dispute-resolution mechanism as the Terms (section 16 of the Terms).

We may update this DPA from time to time. Material changes follow the same 30-day notice + in-app banner process as for the Terms. Non-material changes (clarifications, statutory references) we publish with an updated date.

11. Contact

For any data-protection matter — including exercising rights, notifying us of a breach you suspect on our side, or requesting a counter-signed version of this DPA — write to:

Site Lynx Group Ltd · Data Protection
Post · available from the public Companies House register (company 17151377)
Companies House 17151377 · ICO Registration ZC127371